Given the widespread popularity and quotidian usage of mobile apps, the issue of privacy should not be forgotten. Last year the Information Commissioner’s Office (ICO) conducted a thorough privacy review of 21 popular mobile apps, and recently published a summary of the results on its blog. Although the findings were not excessively alarming, app developers should be reminded that their products must ensure a high level of data security in order to avoid security breaches and subsequent fines of up to £500,000.
One of the issues found was the use of unencrypted connections to transmit personal data, allowing attackers to glean information such as usernames and passwords. Disturbingly, of those apps using encrypted connections, several failed to validate digital certificates correctly. This meant the ICO was able to carry out ‘man-in-the-middle’ attacks using fake certificates and intercept personal data from transmissions that should have been secure.
The ICO also highlighted several further concerns, including the setting of cookies without consent, the use of default passwords, and the transmission of passwords within the URL. Further mobile app reviews are to be conducted, and developers have been urged to carefully consider data protection issues so as not to repeat the same mistakes. All developers are reminded that security breaches can be costly, both financially and in terms of brand reputation.
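Two of the issues above, personal data sent over plaintext connections and passwords carried in the URL, can be caught on the server or gateway side by auditing request logs. The following is an added example, not code from the ICO or from any of the reviewed apps; it assumes a proxy-style log that records the full request URL (including scheme), and the log lines, hostnames and path list are constructed for the example.

```python
"""Audit constructed proxy-style access-log lines for two of the ICO's findings:
personal data sent over unencrypted connections and passwords carried in the URL."""
import re
from urllib.parse import urlsplit, parse_qs

# Sample lines, constructed for this example (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [12/Jun/2014:10:01:02 +0000] "POST http://api.example.test/login HTTP/1.1" 200 512
10.0.0.6 - - [12/Jun/2014:10:01:05 +0000] "GET https://api.example.test/reset?user=bob&password=hunter2 HTTP/1.1" 200 128
10.0.0.7 - - [12/Jun/2014:10:01:09 +0000] "GET https://api.example.test/profile?id=42 HTTP/1.1" 200 2048
10.0.0.8 - - [12/Jun/2014:10:01:12 +0000] "GET http://cdn.example.test/logo.png HTTP/1.1" 200 9000
"""

# Extract method and URL from the quoted request line.
LINE_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<url>\S+) HTTP/[\d.]+"')
# Query-string keys that should never appear in a URL (assumed list).
SECRET_KEYS = {"password", "passwd", "pwd", "token", "secret"}
# Paths that carry personal data and must therefore only be reached over TLS (assumed list).
SENSITIVE_PATHS = {"/login", "/reset", "/profile"}

def audit_line(line):
    """Return a list of finding strings for one log line (empty if clean)."""
    m = LINE_RE.search(line)
    if not m:
        return []
    parts = urlsplit(m.group("url"))
    findings = []
    # Finding 1: a sensitive endpoint reached over plain http.
    if parts.scheme == "http" and parts.path in SENSITIVE_PATHS:
        findings.append(f"plaintext:{parts.path}")
    # Finding 2: a credential-like key in the query string, which ends up in
    # logs, browser history and Referer headers regardless of TLS.
    for key in sorted(k for k in parse_qs(parts.query) if k.lower() in SECRET_KEYS):
        findings.append(f"secret-in-url:{key}")
    return findings

def audit_log(text):
    """Map each 1-based line number to its findings, skipping clean lines."""
    report = {}
    for n, line in enumerate(text.splitlines(), 1):
        findings = audit_line(line)
        if findings:
            report[n] = findings
    return report

if __name__ == "__main__":
    for n, findings in audit_log(SAMPLE_LOG).items():
        print(f"line {n}: {', '.join(findings)}")
```

Run against the sample, line 1 is flagged for a plaintext login and line 2 for a password in the query string; the static asset on line 4 is left alone because it carries no personal data.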